DOMPurify
by cure53
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It parses untrusted markup with the browser's own DOM and removes everything that could execute script, so it can be used to prevent cross-site scripting in web applications. DOMPurify ships with a secure default configuration but also offers extensive configurability and hooks.
Primary Use Case
DOMPurify is primarily used by web developers and security professionals to sanitize untrusted HTML input and prevent cross-site scripting (XSS) vulnerabilities in web applications. It is ideal for scenarios where user-generated content needs to be safely rendered in browsers without risking malicious code execution.
- Sanitizes HTML, MathML, and SVG to prevent XSS attacks
- Super-fast and highly tolerant DOM-only sanitizer
- Works in all modern browsers, and in Node.js when paired with a DOM implementation such as jsdom
- Configurable with hooks and profiles for tailored sanitization
- Supports secure defaults with options for customization
- Extensive automated testing across 28 browsers and multiple Node.js versions
- Maintained by security experts with a clear threat model
- Backward compatibility with MSIE via 2.x branch
Installation
- Include the unminified version in your HTML: <script type="text/javascript" src="dist/purify.js"></script>
- Or include the minified production version: <script type="text/javascript" src="dist/purify.min.js"></script>
- For module-based environments, install via npm and import: import DOMPurify from 'dompurify';
Usage
- const clean = DOMPurify.sanitize(dirty);
  Sanitizes a dirty HTML string and returns a clean HTML string that is safe to insert into the DOM.
- import DOMPurify from 'dompurify';
  Imports DOMPurify in module-based JavaScript environments such as Angular or a bundled application.
- const clean = DOMPurify.sanitize(dirty, { USE_PROFILES: { html: true } });
  Sanitizes input allowing only HTML elements and attributes; SVG and MathML subtrees are removed.
- Sanitize at the sink: call DOMPurify on untrusted HTML immediately before it is inserted into the DOM (for example via innerHTML), not only at input time, and do not re-parse or rewrite the sanitized output with another tool afterwards.
- Combine with Content Security Policy (CSP) headers for layered defense: the sanitizer removes script vectors from markup, CSP limits what can run if something slips through.
- Use DOMPurify hooks to customize sanitization for complex user-generated content scenarios, such as rewriting link attributes after the built-in checks have run.
- Train development teams on secure coding practices using DOMPurify as a practical example of allow-list based output encoding.
- Use DOMPurify to remediate XSS findings from penetration tests and bug bounty programs, and keep the dependency current, since sanitizer bypasses are fixed in new releases.
Related Tools
caddy
caddyserver/caddy
Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
nginx
nginx/nginx
The official NGINX Open Source repository.
nginxconfig.io
digitalocean/nginxconfig.io
⚙️ NGINX config generator on steroids 💉
SafeLine
chaitin/SafeLine
SafeLine is a self-hosted WAF(Web Application Firewall) / reverse proxy to protect your web apps from attacks and exploits.
anubis
TecharoHQ/anubis
Weighs the soul of incoming HTTP requests to stop AI crawlers
ffuf
ffuf/ffuf
Fast web fuzzer written in Go
